
CVE-2025-58369: FS2 half-shutdown of socket during TLS handshake may result in spin loop on opposite side

CVSS Score (v3.1): 5.3

Basic Information

EPSS Score: -
Published: 9/5/2025
Updated: 9/5/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected packages (Package Name | Ecosystem | Vulnerable Versions | First Patched Version):

co.fs2:fs2-io_2.12        | maven | < 3.12.2                     | 3.12.2
co.fs2:fs2-io_2.12        | maven | >= 3.13.0-M1, < 3.13.0-M7    | 3.13.0-M7
co.fs2:fs2-io_2.13        | maven | < 3.12.2                     | 3.12.2
co.fs2:fs2-io_2.13        | maven | >= 3.13.0-M1, < 3.13.0-M7    | 3.13.0-M7
co.fs2:fs2-io_3           | maven | < 3.12.2                     | 3.12.2
co.fs2:fs2-io_3           | maven | >= 3.13.0-M1, < 3.13.0-M7    | 3.13.0-M7
co.fs2:fs2-io_0.26        | maven | < 3.12.2                     | -
co.fs2:fs2-io_0.27        | maven | < 3.12.2                     | -
co.fs2:fs2-io_2.11        | maven | < 3.12.2                     | -
co.fs2:fs2-io_2.12.0-M4   | maven | < 3.12.2                     | -
co.fs2:fs2-io_2.12.0-RC1  | maven | < 3.12.2                     | -
co.fs2:fs2-io_2.12.0-M5   | maven | < 3.12.2                     | -
co.fs2:fs2-io_2.12.0-RC2  | maven | < 3.12.2                     | -
co.fs2:fs2-io_2.13.0-M5   | maven | < 3.12.2                     | -

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability is a denial-of-service caused by a spin loop in fs2-io when a client half-closes a connection during a TLS handshake. The provided patches (46e2dc3abf994dcf3d0b804b2ddb3c10c04d4976 and 5c6c4c6c1ef330f7e6b53661ecc63d5f5ba8885c) point to a fix in the io/jvm/src/main/scala/fs2/io/net/SelectingSocketGroup.scala file, specifically within the server method of the SelectingSocketGroup class.

The patch changes the resource cleanup phase of the ServerSocketChannel. The original code simply closed the channel. The patched code introduces a waitForDeregistration mechanism that ensures the channel is no longer registered with the selector before the cleanup is considered complete. This directly addresses the root cause of the spin loop: the selector repeatedly and incorrectly reporting a closed channel as ready for an operation, so that each select call returns immediately without the operation ever making progress.

Therefore, the vulnerable function is identified as fs2.io.net.SelectingSocketGroup.server. Although the symptom (the spin loop) would be observed in a thread performing a read operation, the actual flaw is in the setup and teardown logic of the server socket managed by this function. An attacker could exploit this by creating many connections to a server using fs2-io with TLS and then half-closing them, causing the server to consume excessive CPU resources and become unresponsive.

Vulnerable functions

fs2.io.net.SelectingSocketGroup.server
io/jvm/src/main/scala/fs2/io/net/SelectingSocketGroup.scala
The vulnerability lies in the resource cleanup of the server socket. The original implementation `F.delay(ch.close())` did not ensure that the channel was deregistered from the selector before closing. This could lead to a condition where the selector would continuously and immediately return, causing a spin loop and high CPU usage, especially during a TLS handshake where a peer might close its write stream. The patch introduces `waitForDeregistration`, which actively waits for the channel to be deregistered, thus preventing the spin loop. While the spin loop manifests during a read operation, the root cause is the improper resource management within the `server` function.
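To make the mechanism described in the root cause analysis and in the function note above concrete, here is an added Python model of a readiness loop that keeps waiting for handshake bytes after the peer has half-closed its write side. It is not fs2's code and not the patch: it uses a local socketpair and the Python selectors module in place of a TLS engine and the JVM selector, and the FINISHED marker, the helper names and the iteration cap are constructed for the illustration. The `deregister_on_eof=False` path reproduces the spin: EOF keeps the socket readable, so every select() returns immediately and every recv() returns nothing.

```python
import selectors
import socket

# Marker that ends the toy "handshake"; a real TLS engine would instead keep
# asking for more input until the peer's Finished message arrives. (Constructed.)
HANDSHAKE_DONE = b"FINISHED"


def run_reader(conn, sel, deregister_on_eof, max_iterations):
    """Drive a readiness loop over `conn` until the toy handshake completes.

    Returns (select_calls, outcome). With deregister_on_eof=False the socket is
    left registered after the peer half-closes: select() reports it readable on
    every call, recv() returns b'' every time, and the loop burns CPU until the
    cap is hit. With deregister_on_eof=True the EOF is treated as terminal and
    the registration is released before the loop returns.
    """
    sel.register(conn, selectors.EVENT_READ)
    received = b""
    select_calls = 0
    try:
        while select_calls < max_iterations:
            select_calls += 1
            if not sel.select(timeout=1.0):
                continue  # nothing ready yet; keep waiting (bounded by the cap)
            data = conn.recv(4096)
            if data:
                received += data
                if received.endswith(HANDSHAKE_DONE):
                    return select_calls, "completed"
                continue
            # recv() returned b'': the peer shut down its write side (EOF).
            # The handshake can never make progress, so the only correct move
            # is to stop waiting for data and release the registration.
            if deregister_on_eof:
                return select_calls, "peer_half_closed"
            # Vulnerable variant: fall through and call select() again.
        return select_calls, "spin_loop_cap_hit"
    finally:
        sel.unregister(conn)


def simulate(peer_bytes, half_close, deregister_on_eof, max_iterations=200):
    """Replay one peer behaviour against the reader over a local socketpair."""
    peer, server_side = socket.socketpair()
    try:
        peer.sendall(peer_bytes)
        if half_close:
            peer.shutdown(socket.SHUT_WR)  # write side closed, read side still open
        with selectors.DefaultSelector() as sel:
            return run_reader(server_side, sel, deregister_on_eof, max_iterations)
    finally:
        peer.close()
        server_side.close()


if __name__ == "__main__":
    # Well-behaved peer: handshake bytes arrive, the loop completes.
    print("complete   :", simulate(b"ClientHello" + HANDSHAKE_DONE, False, True))
    # Peer half-closes mid-handshake, reader releases the registration on EOF.
    print("fixed      :", simulate(b"ClientHello", True, True))
    # Same peer behaviour, reader never deregisters: select() spins until the cap.
    print("vulnerable :", simulate(b"ClientHello", True, False))
```

In the vulnerable run the select-call count equals the cap, which is the CPU-burning behaviour the advisory describes; in the fixed run it stops after a couple of calls. The `deregister_on_eof=True` branch corresponds to the intent of the fix summarised above (stop treating the channel as live and make sure it is deregistered before cleanup is considered complete); for fs2-io users the remediation is the upgrade to 3.12.2 or 3.13.0-M7 listed in the package table.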

WAF Protection Rules

WAF Rule

### Impact

When establishing a TLS session using `fs2-io` on the JVM using the `fs2.io.net.tls` package, if one side of the connection shuts down write while the peer side is awaiting more data to progress the TLS handshake, the peer side will spin l
